Achieving Cyber Essentials Plus certification is a significant milestone for any UK organisation, but in today's cloud-first world, the question of which cloud services fall within scope can be surprisingly complex. Whether you rely on Microsoft 365, Google Workspace, AWS, or a collection of specialist SaaS tools, understanding how these services interact with the certification requirements is essential for a smooth assessment.
This comprehensive guide breaks down exactly what counts when it comes to cloud services and Cyber Essentials Plus, helping you navigate the nuances that trip up so many businesses during their certification journey.
Understanding Scope in a Cloud-First World
The National Cyber Security Centre (NCSC) updated the Cyber Essentials requirements in 2022 to properly address cloud services, and these changes caught many organisations off guard. Previously, companies could argue that cloud services sat outside their scope boundary. That is no longer the case.
Under the current framework, any cloud service where your organisation manages or configures security settings falls within scope. This means virtually every SaaS, PaaS, and IaaS product your team uses on a daily basis needs to be assessed. The only exceptions are services where the provider handles all security configuration with zero input from your side, which in practice is extremely rare.
The Three Categories of Cloud Services
To make sense of what counts, it helps to break cloud services into three distinct categories based on how much security responsibility falls on your organisation.
Category 1: Infrastructure as a Service (IaaS)
IaaS platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform give you the most flexibility but also the most responsibility. When you spin up virtual machines, configure network security groups, or manage storage buckets, all of those configurations fall squarely within your Cyber Essentials Plus scope.
For IaaS, you need to demonstrate that operating systems on virtual machines are kept up to date, firewalls and security groups are properly configured, access controls follow the principle of least privilege, and default passwords have been changed on all services. The assessor will want to see evidence of patch management, access control policies, and network segmentation, just as they would for on-premise infrastructure.
Category 2: Platform as a Service (PaaS)
PaaS offerings like Heroku, Azure App Service, or Google App Engine sit in a middle ground. The provider manages the underlying infrastructure, but you still control application-level security settings, user access, and often network configurations. These services are in scope, and you will need to show that you have configured them securely.
Common PaaS pitfalls include leaving default admin accounts active, not enabling multi-factor authentication where available, and failing to restrict network access to management interfaces. Your assessor will check these configurations during the technical audit.
Category 3: Software as a Service (SaaS)
SaaS is where most confusion arises. Products like Microsoft 365, Salesforce, Slack, Xero, and hundreds of other tools all fall within scope if your organisation manages any security settings within them. Since nearly every SaaS product allows you to configure user accounts, password policies, and sharing settings, almost all SaaS tools are in scope.
Create a cloud service register before your assessment. List every SaaS, PaaS, and IaaS product your organisation uses, who administers it, and what security settings you control. This document alone can save days of assessment preparation time.
What the Assessor Actually Checks
During a Cyber Essentials Plus assessment, the technical auditor will examine your cloud services against the five core controls. Understanding what they look for in each area helps you prepare effectively.
Firewalls and Internet Gateways
For cloud services, this translates to network security groups, web application firewalls, and access control lists. The assessor will check that inbound traffic is restricted to only what is necessary, management ports are not exposed to the public internet, and any network segmentation is properly implemented. On AWS, this means reviewing security groups and NACLs. On Azure, it means checking network security groups and Azure Firewall rules.
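The check described above for AWS security groups, as an added example that is not part of the original article and not an AWS tool: it walks a list of security-group records and reports any rule that lets a management port (SSH, RDP, WinRM, common database ports) in from the whole internet. SAMPLE_GROUPS is constructed sample data that only mirrors the general field layout of a describe-security-groups response (GroupId, GroupName, IpPermissions with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); the port list and group names are this example's own choices.

```python
"""Flag security-group rules that expose management ports to the whole internet.

Added example, not code from the original article. SAMPLE_GROUPS is
constructed by hand and only mirrors the general shape of an AWS
describe-security-groups response; it was not captured from any account.
"""
import ipaddress

# Services an assessor expects to be unreachable from the public internet.
# The selection is this example's own, not a list from the article.
MANAGEMENT_PORTS = {
    22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over HTTPS",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
}

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-web-example", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # public HTTPS: expected
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},       # SSH from inside the VPC only
    ]},
    {"GroupId": "sg-dev-example", "GroupName": "dev-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # SSH from any IPv4 address
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},         # RDP from any IPv6 address
    ]},
    {"GroupId": "sg-jump-example", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},  # one office address: acceptable
    ]},
]


def covered_management_ports(permission):
    """Management ports that a single IpPermissions entry allows through."""
    proto = permission.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule covers every port
        return sorted(MANAGEMENT_PORTS)
    if proto not in ("tcp", "udp"):
        return []
    low, high = permission.get("FromPort"), permission.get("ToPort")
    if low is None or high is None:
        return []
    return [p for p in sorted(MANAGEMENT_PORTS) if low <= p <= high]


def world_open_sources(permission):
    """Source ranges in the rule that cover the entire internet (a /0 prefix)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(groups):
    """Return one finding per (group, management port, world-open source)."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            ports = covered_management_ports(perm)
            if not ports:
                continue
            for cidr in world_open_sources(perm):
                for port in ports:
                    findings.append({
                        "group": group["GroupId"],
                        "name": group.get("GroupName", ""),
                        "port": port,
                        "service": MANAGEMENT_PORTS[port],
                        "source": cidr,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']} port {f['port']} "
              f"open to {f['source']}")
```

Run against the sample, the two findings both come from the dev-tier group, which is the situation in Scenario 3 later on this page: the non-production group still sits in the assessed account. Rules that reference another security group rather than a CIDR produce no finding, and a narrower public range such as a single office address is left for human review. The same idea applies to NACLs and Azure network security groups, with a different record layout.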
Secure Configuration
This is the broadest control and applies to every cloud service in your estate. The assessor will verify that default accounts have been disabled or renamed, unnecessary features and services are turned off, and security settings follow vendor best practices. For Microsoft 365, this might include checking tenant-level sharing settings, Teams guest access policies, and SharePoint external sharing configurations.
User Access Control
Every cloud service must have appropriate access controls. The assessor will check that admin accounts are limited to those who genuinely need them, multi-factor authentication is enabled for all admin accounts (and ideally all users), and leavers have been promptly removed from all cloud services. This last point catches many organisations. When an employee leaves, their Microsoft 365 account might be disabled, but their Trello, Slack, and Canva accounts often remain active for months.
Malware Protection
For cloud services, this control focuses on ensuring that any files uploaded or shared through cloud platforms are scanned for malware. Microsoft 365 includes built-in malware scanning for Exchange Online and SharePoint, but you need to verify it is enabled and functioning. For other cloud services, you may need to demonstrate compensating controls.
Patch Management
With SaaS products, the vendor handles patching the application itself, but you are responsible for ensuring that any client-side software (such as desktop sync clients or browser extensions) is kept up to date. For IaaS and PaaS, you are responsible for patching operating systems and any software you install on those platforms.
Common Cloud Services and Their Scope Implications
Let us walk through the most popular cloud services used by UK businesses and what each one means for your Cyber Essentials Plus assessment.
Microsoft 365
Microsoft 365 is by far the most common cloud service assessed during Cyber Essentials Plus. Your assessor will examine Exchange Online settings including mail flow rules, anti-spam policies, and safe attachments. They will check SharePoint and OneDrive sharing policies, Teams meeting and guest access settings, Azure Active Directory (Entra ID) conditional access policies, and admin role assignments across the tenant.
One frequently missed area is the Microsoft 365 admin centre itself. Many organisations have far too many global administrators, sometimes five or ten people with full admin rights when two would suffice. The assessor will flag this as a user access control failure.
Google Workspace
Google Workspace assessments follow a similar pattern. The assessor will check Google Admin console settings, Gmail security configurations, Drive sharing policies, and user account management. Pay particular attention to Google Groups settings, as misconfigured groups can inadvertently expose data to external users.
AWS, Azure, and Google Cloud
If your organisation uses any of the major cloud infrastructure providers, expect a thorough examination of your configuration. The assessor will review identity and access management (IAM) policies, network security configurations, storage access controls, logging and monitoring setup, and encryption settings for data at rest and in transit.
Accounting and Finance Software
Xero, QuickBooks Online, Sage, and FreeAgent all fall within scope. These platforms hold sensitive financial data, so the assessor will check user access levels, MFA settings, and any integration permissions. Many businesses grant their accountant admin access that persists long after the engagement ends.
CRM and Sales Tools
Salesforce, HubSpot, Pipedrive, and similar platforms are in scope. User access management is critical here, especially ensuring that sales team members who have left the organisation no longer have access to customer data.
Preparing Your Cloud Estate for Assessment
Successful preparation follows a systematic approach. Start by creating a comprehensive inventory of every cloud service your organisation uses. This includes shadow IT, those tools that individual departments have adopted without formal IT approval. Shadow IT is one of the biggest risks during a Cyber Essentials Plus assessment because services you do not know about cannot be properly secured.
Next, review each service against the five controls. For every cloud platform, ask who has admin access and whether it is justified, whether MFA is enabled for all users (especially administrators), whether default configurations have been reviewed and hardened, whether any unnecessary features or integrations are enabled, and whether user accounts are promptly removed when staff leave.
Shadow IT is the number one cause of unexpected Cyber Essentials Plus failures. Before your assessment, survey all department heads about tools their teams use. Marketing alone often has five to ten SaaS subscriptions that IT knows nothing about.
The Shared Responsibility Model
Understanding the shared responsibility model is crucial for Cyber Essentials Plus. Each cloud service type has a different split between what the provider secures and what you must secure yourself.
Table: Your Responsibility versus Provider Responsibility, per service type (table body not reproduced on this page).
Real-World Scenarios: Lessons from UK Assessments
Understanding theory is one thing, but real-world examples illustrate how cloud services create challenges during Cyber Essentials Plus assessments.
Scenario 1: The Marketing Agency
A 25-person London marketing agency thought they were ready for their assessment. Their IT team had secured Microsoft 365, updated all laptops, and configured their firewall correctly. However, the assessor discovered that the design team used Canva Pro, the social media team used Hootsuite and Buffer, the content team used Grammarly Business, and the project management team used Asana and Monday.com. None of these services had MFA enabled, and several had former employees still listed as active users. The agency failed their first attempt and needed two weeks of remediation before passing.
Scenario 2: The Accountancy Firm
A Manchester accountancy firm with 40 staff used Xero for their own finances and had client access to dozens of Xero, QuickBooks, and Sage instances. The question arose: are client accounting platforms in scope? The answer depends on whether the firm manages security settings on those platforms. Since they had admin access to configure user permissions, those platforms were technically in scope. The firm resolved this by documenting which platforms they administered versus those where they held standard user access only.
Scenario 3: The Software Company
A Birmingham software company running their product on AWS had their development, staging, and production environments all in scope. The assessor found that the development environment had relaxed security groups that allowed SSH access from any IP address. Even though this was a non-production environment, it was still connected to the same AWS account and fell within the scope boundary. The company had to tighten development environment security before passing.
Step-by-Step Cloud Audit Process
Follow this process to audit your cloud services before the assessor arrives.
Step 1: Discovery. Use your Single Sign-On (SSO) logs, browser password managers, and financial records (looking for SaaS subscriptions) to build a complete list of cloud services. Do not forget to check expense reports for individually purchased tools.
Step 2: Classification. Categorise each service as IaaS, PaaS, or SaaS. For each one, document what security settings you manage and who the administrators are.
Step 3: Access Review. For every cloud service, export the user list and compare it against your current staff roster. Remove any accounts that belong to former employees or contractors. Reduce admin access to the minimum necessary.
Step 4: MFA Enforcement. Enable multi-factor authentication on every cloud service that supports it. For admin accounts, this is mandatory. For standard user accounts, it is strongly recommended and the assessor will note if it is not enabled.
Step 5: Configuration Review. Check each service against the vendor's security best practices. Microsoft provides a Secure Score tool, Google has Security Centre recommendations, and AWS has Trusted Advisor. Use these tools to identify and fix misconfigurations.
Step 6: Documentation. Prepare evidence for the assessor. This includes screenshots of security settings, user lists, MFA status reports, and admin role assignments. The better your documentation, the faster and smoother the assessment will be.
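Steps 3 and 4 above, as an added example that is not code from the original article or from any vendor: a small review script that compares each cloud service's exported user list against the current staff roster and reports accounts that belong to nobody on the roster, how many administrators each service has, and who lacks MFA. It assumes each vendor's export has already been reduced to a common CSV layout with the columns email,admin,mfa (real exports differ per vendor and need a short mapping step first); the roster and exports below are constructed sample data.

```python
"""Cross-service access review: orphaned accounts, admin sprawl, missing MFA.

Added example, not code from the original article. Assumes every service's
user export has been reduced to the columns email,admin,mfa. All data below
is constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed current-staff roster (the HR source of truth).
ROSTER_CSV = """
email,name,team
alice@example.org,Alice,IT
bob@example.org,Bob,Marketing
carol@example.org,Carol,Finance
"""

# Constructed per-service exports, already mapped to the common layout.
EXPORTS = {
    "microsoft365": """
email,admin,mfa
alice@example.org,yes,yes
bob@example.org,no,yes
carol@example.org,no,no
dave@example.org,yes,yes
""",
    "canva": """
email,admin,mfa
bob@example.org,no,no
dave@example.org,yes,no
eve@example.org,no,no
""",
    "xero": """
email,admin,mfa
carol@example.org,yes,yes
accountant@accountants-example.co.uk,yes,yes
""",
}

FINDING_KEYS = ("orphaned", "admins", "admins_without_mfa", "no_mfa")


def _rows(text):
    """Parse an embedded CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def _norm(email):
    """Normalise an address so exports from different vendors compare equal."""
    return email.strip().lower()


def _truthy(value):
    """Vendors spell booleans differently; accept the common forms."""
    return value.strip().lower() in {"yes", "y", "true", "1", "enabled"}


def review_access(roster_csv, exports):
    """Compare every service's user list against the staff roster.

    Returns {service: {"orphaned": [...], "admins": [...],
                       "admins_without_mfa": [...], "no_mfa": [...]}}
    with each list sorted so the output is stable from run to run.
    """
    roster = {_norm(r["email"]) for r in _rows(roster_csv)}
    report = {}
    for service, text in exports.items():
        findings = defaultdict(list)
        for row in _rows(text):
            email = _norm(row["email"])
            is_admin = _truthy(row["admin"])
            has_mfa = _truthy(row["mfa"])
            if email not in roster:            # leaver, ex-contractor or external party
                findings["orphaned"].append(email)
            if is_admin:
                findings["admins"].append(email)
                if not has_mfa:
                    findings["admins_without_mfa"].append(email)
            if not has_mfa:
                findings["no_mfa"].append(email)
        report[service] = {k: sorted(findings[k]) for k in FINDING_KEYS}
    return report


def services_needing_action(report):
    """Services with at least one orphaned account or an admin lacking MFA."""
    return sorted(s for s, f in report.items()
                  if f["orphaned"] or f["admins_without_mfa"])


if __name__ == "__main__":
    result = review_access(ROSTER_CSV, EXPORTS)
    for service, f in result.items():
        print(f"{service}: {len(f['admins'])} admin(s); orphaned={f['orphaned']}; "
              f"admins without MFA={f['admins_without_mfa']}; no MFA={f['no_mfa']}")
    print("needs action:", services_needing_action(result))
```

On the sample data the script surfaces the two patterns the article describes: a leaver (dave) who was removed from nowhere and still holds admin rights in two services, and an external accountant retained as an administrator in Xero. The external party is reported as "orphaned" deliberately; whether that access is still justified is a decision for the review, and the printed report, kept alongside the raw exports, is part of the evidence Step 6 asks for.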
Cloud Services That Often Catch Organisations Off Guard
Beyond the obvious platforms, several cloud services frequently surprise organisations during assessments. Website content management systems such as WordPress.com or Squarespace are in scope if you manage user accounts. Email marketing tools like Mailchimp or Constant Contact hold customer data and need proper access controls. File sharing services like Dropbox, WeTransfer, or Box often have overly permissive sharing settings. Development tools like GitHub, GitLab, or Bitbucket may contain sensitive code and configuration data. HR platforms like BambooHR or BreatheHR contain extremely sensitive employee data.
Each of these services requires the same rigorous access control, MFA, and secure configuration checks as your primary cloud platforms.
Looking Ahead: Cloud and Cyber Essentials Plus in 2026
The NCSC continues to refine the Cyber Essentials framework to keep pace with cloud adoption. Recent consultations suggest that future updates may include more specific requirements for cloud security posture management, stronger guidance on multi-cloud environments, and additional controls for API security and cloud-to-cloud integrations.
Organisations that build strong cloud security foundations now will find future certifications progressively easier, while those that take shortcuts will face increasing difficulty as requirements tighten.
Need Help with Cloud Services and Cyber Essentials Plus?
Our team has guided hundreds of UK organisations through Cyber Essentials Plus certification, including complex multi-cloud environments. We handle the cloud audit, remediation, and assessment preparation so you can focus on running your business.
Frequently Asked Questions
Do free cloud services count? Yes. If your organisation uses a free tier of a cloud service (such as Trello Free or Slack Free), it is still in scope if you manage any security settings on it. Cost has no bearing on scope.
What about personal devices accessing cloud services? If employees access cloud services from personal devices, those devices may fall within scope depending on your BYOD policy. At minimum, you need to ensure that cloud service access from personal devices is controlled through conditional access policies or similar mechanisms.
Can I exclude cloud services from my scope? You can define your scope boundary, but it must make logical sense. You cannot cherry-pick individual services to exclude if they are used for business purposes. The assessor will challenge any scope boundary that appears to artificially exclude services to avoid assessment.
How long does the cloud portion of the assessment take? For a typical SME with ten to fifteen cloud services, expect the cloud assessment to take two to three hours. Organisations with complex multi-cloud environments may need a full day. Preparation and evidence gathering beforehand significantly reduces assessment time.
What happens if I fail the cloud portion? If cloud misconfigurations are found, you will typically be given a remediation window to fix the issues. Most cloud configuration changes can be made quickly, so remediation rarely takes more than a few days. You will then need a re-test of the affected areas, which may incur additional assessment fees.

